Defending Against Today’s Mobile Device Security Threats

March 08th, 2018

Mobile devices today are ubiquitous. In short order, they have become a reliable go-to for everything from storing contacts, to working on-the-go, to paying for groceries. They absolutely have a place in business too: according to a 2016 report by the Information Security Media Group, 99% of employees use personal smartphones to do their jobs. There’s no question that the device in everyone’s pocket or purse is both convenient and a great way to stay connected and productive… but what are the business risks?

A big challenge when it comes to protecting smartphones and tablets is that mobile device security has not necessarily kept pace with traditional computer and network security.

But equally challenging is the behavior of smartphone owners, as there is a perception that cybersecurity threats and concerns don’t apply to mobile devices. People – even those who abide by all network security best practices on desktop – generally seem to feel that their mobile device is exempt from those same cyber threats.

Unfortunately, that is not the case.

This combination of popularity, relaxed attitudes about protecting mobile devices, and less-than-stellar security has in fact made mobile devices an enticing target for cybercriminals, and somewhat of a headache for businesses.

These threats come in the form of mobile malware, authentication attacks, man-in-the-middle (MiTM) attacks, or simply the exploitation of known vulnerabilities. Mobile malware takes a variety of forms, including phishing/spear phishing, trojans, keyloggers, bank trojans, ransomware and adware or spyware.

The volume of mobile malware is still a fraction of what it is for desktops, but it is most certainly on the rise. According to the Intel Security/McAfee April 2017 trends report, approximately 15 million different mobile malware variants had been detected at the end of 2016, up from just under 8 million the previous year.

First Step: Education

While there are numerous workplace solutions for this – including Mobile Device Management, or implementing a BYOD (bring your own device) policy – education is a critical piece of the mobile device security puzzle.

It’s essential that every employee understands the need to protect the company data accessible through his or her personal device, as well as their own personal information.

We recommend that, as a business leader, you teach employees about device security as a means of reducing the company’s cyber risks. This can take the form of an official BYOD policy or become part of a general culture of cyber awareness and your ongoing cybersecurity education and training strategy.

Either way, start by understanding that smartphones and other connected devices like smart watches aren’t automatically protected in the way that standard network equipment is, and that more proactive measures are required.

For example, many smartphone users aren’t aware of the timeline for “end of life” support for their device. And the lifecycle for support for a smartphone tends to be shorter and less publicized than that of a standard operating system like Microsoft Windows, which means that a phone can reach end of support in just 2-3 years, and the owner might not have any idea.

Additionally, mobile devices generally are not encrypted, which means if you’re using public Wi-Fi, any data on that phone is going to be pretty easily accessible to a hacker. There are encrypted mobile communications solutions on the market, but they aren’t the default – they must be installed and enabled separately.

It’s also important for every smartphone user to recognize that the default – and recommended – method of acquiring any mobile applications or software is via the authorized app store.

Both Apple and Google scan all applications in their respective app stores in an effort to detect any potentially malicious apps. While it’s certainly possible to get mobile malware from an app in the authorized store, the risks are significantly less than if you download software from an unknown third-party source.

Finally, whether you enable a tech-based Mobile Device Management solution to implement this practice, or you rely on smartphone owners to enable the capability, make sure that any device that has access to company data can be remotely wiped in the event that it is lost or stolen. Below are links to more information on how to enable that feature:

To erase an Apple device (this includes iPhones, iPads, Apple Watch or Mac), follow these steps.

While your mobile security landscape will entirely depend on your workplace environment, your BYOD policy, your MDM policy, and your existing security protocols, it is crucial that you understand your current risks so that you can take the steps to correct them.

This may include working with your IT provider to implement an MDM solution, if necessary.

It should certainly include at least a conversation (or more formal consultation) with your IT provider to ensure that your overall network security accounts for the use of mobile devices.

The biggest lesson though is that when it comes to protecting a mobile device, an increased awareness of the risks and a common sense approach to defending against them really will go a long way.
